Earlier this week the Dutch government announced that it would not be seeking to curtail or backdoor encryption. This has been seen as a big win for privacy. In reality, as Matthijs R. Koot notes in his English translation, this is not a permanent rejection but a disinclination to do anything ‘at this time‘.

Nevertheless, industry, media and commentators have applauded the Dutch. One example comes from Dr Nithin Thomas, Co-Founder and CEO of SQR Systems:

The decisive announcement from the Netherlands to maintain strong encryption and avoid implementing back-door access sets a powerful example that other world governments should follow.

Thomas supports encryption but also supports lawful access by governments. This is problematic: you cannot have encryption accessible only by government.

The issue is that cryptography depends on a set of mathematical relationships that cannot be subverted selectively. They either hold completely or not at all. It’s not something that we’re not smart enough to do; it’s something that’s mathematically impossible to do. I cannot backdoor software specifically to spy on jihadists without this backdoor applying to every single member of society relying on my software.
Nadim Kobeissi: On Encryption and Terrorists

But Thomas thinks he has the solution:

Rather than pursuing any approach that would make current encryption technology less secure, we must ensure that the organizations and individuals that own the data are able to access and control it themselves. This would allow them to comply with legal needs during investigations and criminal proceedings without compromising security. This requires communications service providers to re-think their communications security architecture and corporate policy to enable them to deal with legal intercepts.

This isn’t just wrong, it is dangerous. It means that people who store encrypted data should retain access to the keys. Now that is fine for companies encrypting their own intellectual property, but it comes unstuck over personal information. There are thousands of cloud companies storing masses of personal data. Many of those companies are American, and some have T&Cs that specifically state any data stored with them becomes their own copyright.

I very much doubt that many users have read the T&Cs of the clouds they use. So they won’t be aware that they have just given ownership of their data to an American company which can be compelled by law to give that data to the US government. It doesn’t matter what protestations the companies make, they will eventually hand over the data. And if it is encrypted and they have the keys, those companies can be compelled to hand over the keys as well.

Where the Thomas argument falls down is in suggesting that there is any alternative to full strong encryption. Communicating personal information requires end-to-end encryption. Storing personal information requires encryption without the keys ever leaving the possession of the user. There is no alternative. Anything less offers false, in fact non-existent, privacy.

But as a final comment we should beware of any suggestion that governments should have legal access. That would be fine if we could trust governments to act legally. We cannot because they do not. And if they get caught out, they play games at changing the laws to suit the people but worded in such a way as to legalize what they currently do illegally.